We present attacks that show that unconditionally secure two-party classical computation is
impossible for many classes of function. Our analysis applies to both quantum and relativistic 
protocols. We illustrate our results by showing the impossibility of oblivious transfer.

I. INTRODUCTION

Consider two parties wishing to compute some joint function of their data (two millionaires might wish to know 
who is richer, for example). A secure computation of such a function is one for which the only information the first 
party gets on the input of the second is that implied by the outcome of the computation, and vice versa. 

In this work, we focus on unconditional security, whereby we seek to construct a protocol whereby the two mistrustful 
parties can communicate in order to achieve the task. Security will rely on a belief in the laws of physics. We allow 
each party to exploit the properties of both quantum mechanics and relativity in order to achieve security. While the 
security benefits of the former are well known, relatively little investigation has been made into the extra security 
afforded by the latter. One positive result in relativistic cryptography is that it allows variable-bias coin tossing to be
realized. In this paper, we show that even using both relativistic and quantum protocols, there is a large class
of functions for which secure two-party computation is impossible. A discussion of relativistic cryptography can be
found in Refs. 0,0. 

We call a computation classical, in spite of it potentially relying on quantum communication for its implementation, 
because its inputs and outputs are classical data. 

Two-party computations can be divided into several classes, depending on the number of parties that receive the 
output (the sidedness of the function) and whether the function is deterministic or random. In the two-sided case, 
we will further specialize to single function computations, where both parties receive identical outcomes. What 
is presently known about such functions is summarized in Table I. For a longer introduction to secure two-party
computation, see Ref. 

In this paper, we will show the impossibility of various secure two-party computations, by giving an explicit cheating 
attack. A summary of the argument is as follows. In a classical computation, each party is supposed to input one 
of a finite set of classical values. However, the impossibility of classical certification [4] means that one party cannot
detect when the other inputs a superposition of such inputs. By keeping all decisions at the quantum level until the
end of the protocol, we can model the entire computation as unitary. The insecurity of the computation then follows
because there exists a measurement on the output state generated by the superposed input, which allows the cheating
party to better distinguish between the possible inputs of the other party than if they had been honest. In most cases,
we have impossibility proofs for the simplest non-trivial cases of each class of function. We discuss at the end of the
paper the possible generalizations.

TABLE I: Functions computable with unconditional security in two-party computations using (potentially) both quantum and
relativistic protocols. ✓ indicates that all functions of this type are possible, X indicates that all functions of this type are
impossible, ✓* indicates that some functions of this type are possible and all functions of this type are conjectured to be
possible, and X* indicates that some functions of this type are impossible.

In this paper we consider perfectly secure protocols — i.e. those for which the probability of cheating is strictly zero. 
Further, our protocols are perfectly correct; that is, the probability of error is strictly zero in the case where both 
parties are honest. One would like to extend our results to cover the case of protocols for which the probability of 
cheating and of error tend to zero in the limit that some security parameter tends to infinity. 

II. COMPUTATIONAL MODEL 

We use a black box model for secure computation. A black box represents an idealized version of a protocol. It can 
be thought of as an unbreakable box which has an input and output port for each party. It features an authentication 
system (e.g., an unalterable label) so that each party can be sure of the function it computes. An appropriately 
constructed protocol will prescribe a sequence of information exchanges mimicking the essential features of such a 
black box. If one of the parties deviates from the prescribed exchanges, the protocol should abort. The question of 
whether or not it is possible to construct a protocol mimicking a given black box will not be addressed¹. Rather, we
show that cheating is possible even if such black boxes do exist. 

Since in any real protocol all measurements can be delayed until the end, we consider only black boxes which 
perform unitary operations. The outcomes of such unitary operations are distributed amongst the parties. At the end 
of a classical computation they are measured to generate the outcome. For a general two-sided function, we consider 
the unitary, $U_f$, such that

$$U_f |i\rangle_A |j\rangle_B |0\rangle |0\rangle = |i\rangle_A |j\rangle_B \sum_k \alpha^k_{i,j} |kk\rangle_{AB}, \tag{1}$$

where $\{\alpha^k_{i,j}\}$ depend on the function being computed, and the index k runs over all possible outputs, i and j correspond
to Alice's and Bob's inputs respectively, and their output² is k which is read by measurement in an orthonormal basis.
Outcome k occurs with probability $|\alpha^k_{i,j}|^2$. If the function is deterministic, then, for each i and each j, $|\alpha^k_{i,j}| = 1$ for
one value of k, and is zero for all others. More generally, the unitary, $U'_f$, performing

$$U'_f |i\rangle_A |j\rangle_B |0\rangle |0\rangle |0\rangle = |i\rangle_A |j\rangle_B \sum_k \alpha^k_{i,j} |kk\rangle_{AB} |\psi^k_{i,j}\rangle_{AB}, \tag{2}$$
would be of use to compute such a function, where the final Hilbert space corresponds to an ancillary system the black 
box uses for the computation (and has arbitrary dimension). In the protocol mimicking such a box, this final state 
must be distributed between Alice and Bob in some way, such that the part that goes to Bob, for instance, contains 
no information on Alice's input. 

If black boxes implementing such unitaries were to exist, then each party has two ways of cheating. The first is 
by inputting a superposition of states into the protocol, rather than a member of the computational basis as they 
should. The second involves using a different measurement on the output of the black box than that dictated by the 
protocol. It follows from the impossibility of classical certification [4] that a real protocol cannot prevent the first
attack. Under these attacks, insecurity of functions under $U_f$ implies insecurity under $U'_f$, as we show below. Hence
it is sufficient to consider only the former. 

Consider the case where Alice makes a superposed input, $\sum_i a_i |i\rangle$, rather than a single member of the computational
basis. Then, at the end of the protocol, her reduced density matrix takes either the form

$$\sigma_j = \sum_{i,i',k} a_i a^*_{i'} \alpha^k_{i,j} (\alpha^k_{i',j})^* |i\rangle\langle i'| \otimes |k\rangle\langle k| \tag{3}$$

or

$$\sigma'_j = \sum_{i,i',k} a_i a^*_{i'} \alpha^k_{i,j} (\alpha^k_{i',j})^* |i\rangle\langle i'| \otimes |k\rangle\langle k| \otimes \mathrm{tr}_B |\psi^k_{i,j}\rangle\langle\psi^k_{i',j}|, \tag{4}$$

where the first case applies to $U_f$, and the second to $U'_f$.

¹ However, we do eliminate certain types of black box, e.g. ones that allow classical certification (see later).

² Recall that we have restricted to single function computations.

Alice is then to make a measurement on her state in order to distinguish between the different possible inputs Bob
could have made, as best she could. We will show that there exists a trace-preserving quantum operation that Alice
can use to convert $\sigma'_j$ to $\sigma_j$ for all j. It follows that Alice's ability to distinguish between $\{\sigma'_j\}_j$ is at least as good as
her ability to distinguish between $\{\sigma_j\}_j$.

In order that the protocol functions correctly when both Alice and Bob are honest, we require $\mathrm{tr}_B |\psi^k_{i,j}\rangle\langle\psi^k_{i,j}| = \rho^{i,k}$
to be conditionally independent of j given k (otherwise Alice can gain more information on Bob's input than that
implied by k by a suitable measurement on her part of this state). By expressing $\rho^{i,k}$ in its diagonal basis,
$\rho^{i,k} = \sum_m \lambda^{i,k}_m U^{i,k}_A |m\rangle\langle m|_A (U^{i,k}_A)^\dagger$, we have

$$|\psi^k_{i,j}\rangle = \sum_m \sqrt{\lambda^{i,k}_m}\, U^{i,k}_A |m\rangle_A \otimes U^{i,j,k}_B |m\rangle_B, \tag{5}$$

where $\{|m\rangle_A\}_m$ form an orthogonal basis set on Alice's system and likewise $\{|m\rangle_B\}_m$ is an orthogonal basis for Bob's
system. Bob then holds

$$\mathrm{tr}_A |\psi^k_{i,j}\rangle\langle\psi^k_{i,j}| = \sum_m \lambda^{i,k}_m U^{i,j,k}_B |m\rangle\langle m|_B (U^{i,j,k}_B)^\dagger. \tag{6}$$

This must be conditionally independent of i given k, hence so must $\lambda^{i,k}_m$ and $U^{i,j,k}_B$. Thus

$$|\psi^k_{i,j}\rangle = \sum_m \sqrt{\lambda^k_m}\, (U^{i,k}_A \otimes U^{j,k}_B) |m\rangle_A |m\rangle_B. \tag{7}$$

It hence follows that there is a unitary on Alice's system converting $|\psi^k_{i_1,j}\rangle$ to $|\psi^k_{i_2,j}\rangle$ for all $i_1, i_2$, and that, furthermore,
this unitary is conditionally independent of j given k. Likewise, there is a unitary on Bob's system converting $|\psi^k_{i,j_1}\rangle$
to $|\psi^k_{i,j_2}\rangle$ for all $j_1, j_2$, with this unitary being conditionally independent of i given k.

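Returning now to the case where Alice makes a superposed input, the final state of the entire system can be
written

$$\sum_{i,k} a_i \alpha^k_{i,j} |i\rangle_A |j\rangle_B |k\rangle_A |k\rangle_B \sum_m \sqrt{\lambda^k_m}\, (U^{i,k}_A |m\rangle_A)(U^{j,k}_B |m\rangle_B). \tag{8}$$

Alice can then apply the unitary

$$V = \sum_{i,k} |i\rangle\langle i|_A \otimes 1_B \otimes |k\rangle\langle k|_A \otimes 1_B \otimes (U^{i,k}_A)^\dagger \otimes 1_B \tag{9}$$

to her systems leaving the state as

$$\sum_{i,k} a_i \alpha^k_{i,j} |i\rangle_A |j\rangle_B |k\rangle_A |k\rangle_B \sum_m \sqrt{\lambda^k_m}\, |m\rangle_A (U^{j,k}_B |m\rangle_B). \tag{10}$$

Alice is thus in possession of density matrix

$$\sum_{i,i',k} a_i a^*_{i'} \alpha^k_{i,j} (\alpha^k_{i',j})^* |i\rangle\langle i'| \otimes |k\rangle\langle k| \otimes \rho^k_A, \tag{11}$$

where $\rho^k_A = \sum_m \lambda^k_m |m\rangle\langle m|_A$. On tracing out the final system, we are left with $\sigma_j$ as defined by (3).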

We have hence shown that there is a trace-preserving quantum operation Alice can perform which converts $\sigma'_j$ to
$\sigma_j$ for all j, and that this operation is conditionally independent of j given k. Hence Alice's ability to distinguish
between Bob's inputs after computations of the type $U'_f$ is at least as good as her ability to distinguish Bob's inputs
after computations of the type $U_f$, and so, under the type of attack we consider, insecurity of computations specified
by $U_f$ implies insecurity of those specified by $U'_f$. We will therefore consider only type $U_f$ in our analysis. An
analogous argument follows for the one-sided case, and likewise for the deterministic cases (which are special cases of
the non-deterministic ones).



We now state the security condition that will be shown to be breakable for a large class of computation.

Security Condition. Consider the case where Bob is honest. For a computation to be considered secure, there
can be no input, together with a measurement on the corresponding output that gives Alice a better probability of 
guessing Bob's input than she would have gained by following the protocol honestly and making her most informative 
input. This condition must hold for all forms of prior information Alice holds on Bob's input. 

Let us emphasize that the use of the black box model does not restrict the scope of our proofs: these apply to all 
real protocols. The model is common to discussions of universal composability (see Section V) and makes manifest
that it is sufficient for parties to behave dishonestly only in the initial and final steps of any protocol in order to break
our security condition³.

III. DETERMINISTIC FUNCTIONS 

We first focus on the deterministic case. Lo showed that two-input deterministic one-sided computations are impossible
to compute securely 0], hence only two-sided deterministic functions remain⁴. There is a further consideration
when discussing deterministic functions that leads us to restrict the class of functions further. 

Suppose that the outcome of such a protocol leads to some real-world consequence. In the dating problem 0], for
example, one requires a secure computation of $k = i \times j$, where $i, j \in \{0, 1\}$. If the computation returns k = 1, then
the protocol dictates that Alice and Bob go on a date. This additional real-world consequence is impossible to enforce,
although both Alice and Bob have some incentive not to stand the other up, since this results in a loss of the other's 
trust. A cost function could be introduced to quantify this, but since suitable cost assignments must be assessed case 
by case, it is difficult to develop general results. To eliminate such an issue, we restrict to the case where the sole 
purpose of the computation is to learn something about the input of the other party. No subsequent action of either 
party based on this information will be specified. 

We say that a function is potentially concealing if there is no input by Alice which will reveal Bob's input with 
certainty, and vice versa. If the aim of the computation is only to learn something about the input of the other 
party, and if Bob's data is truly private, he will not enter a secure computation with Alice if she can learn his input 
with certainty. We hence only consider potentially concealing functions in what follows. In addition, we will ignore 
degenerate functions in which two different inputs are indistinguishable in terms of the outcomes they afford. If the 
sole purpose of the computation is to learn something about the other party's input, then, rather than compute a 
degenerate function, Alice and Bob could instead compute the simpler function formed by combining the degenerate 
inputs of the original. 

An alternative way of thinking about such functions is that they correspond to those in which there is no cost for 
ignoring the real world consequence implied by the computation. At the other extreme, one could invoke the presence 
of an enforcer who would compel each party to go ahead with the computation's specified action. This would have 
no effect on security for a given function (a cheating attack that works without an enforcer also works with one) but 
introduces a larger set of functions that one might wish to compute. There exist functions within this larger set for 
which the attack we present does not work. 

We specify functions by giving the matrix of outcomes. For convenience the outputs of the function are labelled 
with consecutive integers starting with 0. We consider functions that satisfy the following conditions: 

1. (Potentially concealing requirement) Each row and each column must contain at least two elements that are the 
same. 

2. (Non degeneracy requirement) No two rows or columns should be the same. 

For instance, if $i,j \in \{0, 1, 2\}$ (which we term a 3 x 3 function), the function $f(i,j) = 1 - \delta_{ij}$ is

    0 1 1
    1 0 1
    1 1 0

This function is potentially concealing, and non-degenerate.

TABLE II: This function can be taken as the most general 3x3 function satisfying conditions 1 and 2, where $a \neq b$, and $a = 0$
or $b = 0$ or $b = 1$. The dots represent unspecified (and not necessarily identical) entries consistent with the conditions.

³ In any case, if a protocol mimics a black box correctly, then there is no scope for cheating during its implementation.

⁴ Lo did not consider relativistic cryptography, but his results apply to this case as well p[.

We consider the case of 3 x 3 functions. We first give a non-constructive proof that Alice can always cheat, and 
then an explicit cheating strategy. 

Let us assume that we have a black box that can implement the protocol, i.e., that performs the following operation: 

$$U_f |i\rangle_A |j\rangle_B |0\rangle |0\rangle = |i\rangle_A |j\rangle_B |f(i,j)\rangle_A |f(i,j)\rangle_B. \tag{12}$$

The states $\{|i\rangle_A\}$ are mutually orthogonal, as are the members of the sets $\{|f(i,j)\rangle_A\}$ and $\{|f(i,j)\rangle_B\}$. This
ensures that Alice and Bob always obtain the correct output if both have been honest. The existence of such a black
box would allow Alice to cheat in the following way. She can first input a superposition, $\sum_{i=0}^{2} a_i |i\rangle_A$, in place of $|i\rangle_A$.
Her output from the box is one of $\rho_0$, $\rho_1$, $\rho_2$, the subscript corresponding to Bob's input, j, where (using the shorthand
$\mathrm{tr}_B(|\Psi\rangle) \equiv \mathrm{tr}_B(|\Psi\rangle\langle\Psi|)$)

$$\rho_j = \mathrm{tr}_B \Big( U_f \sum_i a_i |i\rangle_A |j\rangle_B |0\rangle_A |0\rangle_B \Big). \tag{13}$$

Alice can then attempt to distinguish between these using any measurement of her choice. 
The main result of this section is the following theorem. 

Theorem 1. Consider the computation of a 3 x 3 deterministic function satisfying conditions 1 and 2. For each
function of this type, there exists a set of coefficients, $\{a_i\}$, such that when Alice has a uniform prior distribution
over Bob's inputs and she inputs $\sum_{i=0}^{2} a_i |i\rangle_A$ into the protocol, there exists a measurement that gives her a better
probability of distinguishing the three possible (j dependent) output states than that given by her best honest strategy.

Proof. We will rely on the following lemma. 

Lemma 1. All 3x3 functions satisfying conditions 1 and 2 can be put in the form of the function in Table II.

Proof. The essential properties of any function are unchanged under permutations of rows or columns (which correspond
to relabelling of inputs), and under relabelling of outputs. In order that the function is potentially concealing,
there can be at most one column whose elements are identical. By relabelling the columns if necessary, we can ensure
that this corresponds to i = 2. Relabelling the outputs and rows, if necessary, the column corresponding to i = 0
has entries (f(0, 0), f(0, 1), f(0, 2)) = (0, 0, 1). The column corresponding to i = 1 then must have entries (a, a, b) or
(a, b, b), with $a \neq b$. In the case (a, a, b), the i = 2 column must have the form (c, d, d), for $c \neq d$, in which case we
can permute the i = 1 and i = 2 columns to recover the form a, b, b for the i = 1 column. Relabellings always put
such cases into forms with a = 0 or b = 0 or b = 1. QED

Suppose Alice inputs $(|0\rangle + |1\rangle)$ into a function of the form given in Table II. After tracing out Bob's systems,
Alice holds one of
f * 6)1 (|01X11| + |11)(01|) + |16X16|).

Measurement using the set $\{E_{i,k} = |ik\rangle\langle ik|\}$ in effect reverts to an honest strategy. The probability of correctly
guessing Bob's input using these operators is the same as that for Alice's best honest strategy. These operators can
be combined to form just three operators, $\{E_{j'}\}$, such that a result corresponding to $E_{j'}$ means that Alice's best guess
of Bob's input is $j'$. Then

$$E_0 = \alpha_1 |00\rangle\langle 00| + \delta_{a,0} |10\rangle\langle 10| + \delta_{a,1} |11\rangle\langle 11| + \delta_{a,2} |12\rangle\langle 12| + \delta_{a,3} |13\rangle\langle 13| \tag{17}$$

$$E_1 = (1 - \alpha_1) |00\rangle\langle 00| + \alpha_2 \delta_{b,0} |10\rangle\langle 10| + \alpha_3 \delta_{b,1} |11\rangle\langle 11| + \alpha_4 \delta_{b,2} |12\rangle\langle 12| + \alpha_5 \delta_{b,3} |13\rangle\langle 13| \tag{18}$$

$$E_2 = 1 - E_0 - E_1 \tag{19}$$

where the $\{\alpha_i\}$ are arbitrary parameters, $0 \le \alpha_i \le 1$, and do not affect the success probability. We will show that such
a measurement is not optimal to distinguish between the corresponding $\{\rho_j\}$. This follows from an existing result in
state estimation theory, as stated in the following theorem.

Theorem 2. Consider using a set of M measurement operators, $\{E_j\}$, to discriminate between a set of M states,
$\{\rho_j\}$, which occur with prior probabilities, $\{q_j\}$, where the outcome corresponding to operator $E_j$ indicates that the
best guess of the state is $\rho_j$. The set $\{E_j\}$ is optimal if and only if

$$E_j (q_j \rho_j - q_l \rho_l) E_l = 0 \quad \forall j, l \tag{20}$$

$$\sum_j E_j q_j \rho_j - q_l \rho_l \ge 0 \quad \forall l. \tag{21}$$



In the case of uniform prior probabilities, Equations (20) and (21) imply respectively

(ax = or a 2 = or 6 ^ 0) and (a x = 1 or 0) and (22) 

(ax — 1 or ct2 — 1 or b ^ 0) and (0:3 — or 6^1), 

and 

6=1 or 03 > — J and ^6 = or a 2 (l — ai) > — ^ and (a = 1 or CH3 = 1 or 6 ^ 1) and 

(ai =0 or (6^0 and a ^ 0)) and (ai = 1 or b ^ or a 2 = 0) (23) 

In addition, because the function is in the form given in Table II, we also have

$$(a = 0 \text{ or } b = 0 \text{ or } b = 1) \text{ and } a \neq b. \tag{24}$$

The system of equations (22)–(24) cannot be satisfied for any values of $a, b, \{\alpha_k\}$. Hence, the measurement operators
(17)–(19) are not optimal for discriminating between Bob's inputs, so Alice always has a cheating strategy. QED

Our proof of Theorem 1 is non-constructive — we have shown that cheating is possible, but not explicitly how it can
be done. Except in special cases (e.g., where the states $\{\rho_j\}$ are symmetric), no procedure for finding the optimal
POVM to distinguish between states is known. Nevertheless, we have found a construction based on the square
root measurement [TlL, [12] that, while not being optimal, gives a higher probability of successfully guessing Bob's
input than any honest strategy.

The strategy applies to the states, $\sigma_j$, formed when Alice inputs $(|0\rangle + |1\rangle + |2\rangle)$. The set of operators are those
corresponding to the square root measurement, defined by



/■ h>- ^ » ■ ( 25 ) 




One can verify, case by case, that this strategy affords Alice a better guessing probability over Bob's input than any
honest one for all functions of the form of Table II. The Mathematica script which we have used to check this is
available on the world wide web [13].

TABLE III: The entries in the table give the probabilities of output 0 given inputs. For example, if both parties input 0,
then the output of the function is 0 with probability $p_{00}$, and 1 with probability $1 - p_{00}$.



IV. NON-DETERMINISTIC FUNCTIONS

A. Two-sided case

Initially, we specialize to the case $i, j, k \in \{0, 1\}$. We specify such functions via a matrix of probabilities as given in
Table III. For the two-sided case, the relevant black box implements the unitary, U, given by

$$U |i\rangle_A |j\rangle_B |0\rangle |0\rangle = |i\rangle_A |j\rangle_B \left( \sqrt{p_{ij}}\, |00\rangle_{AB} + \sqrt{1 - p_{ij}}\, |11\rangle_{AB} \right). \tag{26}$$

Suppose that Alice has prior information about Bob's input such that, from her perspective, he will input 0 with
probability $q_0$, and 1 with probability $q_1 = 1 - q_0$. The maximum probability of correctly guessing Bob's input using
an honest strategy is

$$p_h = \max_i \Big( \max_j (p_{ij} q_j) + \max_j ((1 - p_{ij}) q_j) \Big). \tag{27}$$

Denote Alice's final state by $\rho_j$, where j is Bob's input. The optimal strategy to distinguish $\rho_0$ and $\rho_1$ is successful
with probability [||

$$\frac{1}{2} \left( 1 + \mathrm{tr} |q_0 \rho_0 - q_1 \rho_1| \right). \tag{28}$$

Theorem 3. Let Alice input $(|0\rangle + |1\rangle)$ and Bob input j into the computation given in (26). Let Alice implement
the optimal measurement to distinguish the corresponding $\rho_0$ and $\rho_1$ and call the probability of a correct guess using
this measurement $p_c$. Then, for all $\{p_{00}, p_{01}, p_{10}, p_{11}\}$, there exists a value of $q_0$ such that $p_c > p_h$, unless,

1. $p_{00} = p_{10}$ and $p_{01} = p_{11}$, or

2. $p_{00} = p_{01}$ and $p_{10} = p_{11}$.



The two exceptional cases correspond to functions for which only one party can make a meaningful input. We 
hence conclude that all genuinely two-input functions of this type are impossible to compute securely. 

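Proof. Take $q_0 = 1 - \epsilon$. For sufficiently small $\epsilon > 0$, (27) implies $p_h = q_0$. We then seek $p_c$. The eigenvalues of
$q_0 \rho_0 - q_1 \rho_1$ are

$$\lambda_\pm = \frac{1}{4} \left( a(\{p_{ij}\}) \pm \sqrt{a^2(\{p_{ij}\}) + b(\{p_{ij}\})} \right), \tag{29}$$

$$\mu_\pm = \frac{1}{4} \left( a(\{\bar{p}_{ij}\}) \pm \sqrt{a^2(\{\bar{p}_{ij}\}) + b(\{\bar{p}_{ij}\})} \right), \tag{30}$$

where $a(\{p_{ij}\}) = (p_{00} + p_{10}) q_0 - (p_{01} + p_{11}) q_1$, $b(\{p_{ij}\}) = 4 (\sqrt{p_{01} p_{10}} - \sqrt{p_{00} p_{11}})^2 q_0 q_1$, and $\bar{p}_{ij} = 1 - p_{ij}$.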

For e sufficiently small, we have a ^> b > 0. Using y/l + x < I + |, we find, A+ > j(2o({j>i,j}) + 2a({p — }) ^ 

A- < ~^£j 1 ,p+ > I(2a({p7-}) + ^g^),and M _ < -^i^, with equality iff 6(fe J }) = and 6({p-}) = 0. 

We hence have $\frac{1}{2}(1 + \mathrm{tr}|q_0 \rho_0 - q_1 \rho_1|) \ge q_0$ and so $p_c \ge p_h$, with equality iff $p_{00} = p_{10}$ and $p_{01} = p_{11}$, or $p_{00} = p_{01}$ and
$p_{10} = p_{11}$. QED

The explicit form of the cheating measurement is given in 0] .

TABLE IV: Probability table for oblivious transfer.

B. One-sided case

For one-sided computations of non-deterministic functions, Alice can cheat without inputting a superposed state.
In this case, the black box performs the unitary

$$U |i\rangle_A |j\rangle_B |0\rangle = |i\rangle_A |j\rangle_B \left( \sqrt{p_{ij}}\, |0\rangle_A + \sqrt{1 - p_{ij}}\, |1\rangle_A \right), \tag{31}$$

where the last qubit goes to Alice at the end of the protocol. The following theorem shows that such computations 
cannot be securely implemented. 

Theorem 4. Having made an honest input to the black box above, Alice's optimum procedure to correctly guess Bob's
input is not given by a measurement in the $\{|0\rangle, |1\rangle\}$ basis, except if $p_{ij} \in \{0, 1\}$ for all i, j.

Proof. From (20) of Theorem 2, if Alice inputs i = 1, the measurement operators $\{|0\rangle\langle 0|, |1\rangle\langle 1|\}$ are optimal only if

$$q_0 \sqrt{p_{10}(1 - p_{10})} = (1 - q_0) \sqrt{p_{11}(1 - p_{11})}. \tag{32}$$

For this to hold for all $q_0$, we require that either $p_{11} = 0$ or $p_{11} = 1$, and either $p_{10} = 0$ or $p_{10} = 1$. Similarly, if
Alice inputs i = 0, we require either $p_{01} = 0$ or $p_{01} = 1$, and either $p_{00} = 0$ or $p_{00} = 1$, in order that the specified
measurement operators are optimal. QED

These exceptions correspond to functions that are deterministic, so do not properly fall into the class presently 
being discussed. Many are essentially single-input, hence trivial, and all such exceptions are either degenerate or not 
potentially concealing. 

Our theorem also has the following consequence. 

Corollary 1. One-sided variable-bias coin tossing 0/ is impossible.

Proof. A one-sided variable bias coin toss is the special case where both $p_{00} = p_{10}$ and $p_{01} = p_{11}$. These cases are not
exceptions of Theorem 4 and hence are impossible. QED



C. Example: The Impossibility Of Oblivious Transfer

Here we show explicitly how to attack a black box that performs oblivious transfer when used honestly. This is a
second proof of its impossibility in a stand-alone manner (the first being Rudolph's [Hj]).⁵ The probability table for
this task is given in Table IV.

In an honest implementation of oblivious transfer, Bob is able to guess Alice's input with probability $\frac{3}{4}$. However,
the final states after using the ideal black box are of the form $|\psi_b\rangle = \frac{1}{\sqrt{2}}(|b\rangle + |?\rangle)$, where $|0\rangle$, $|1\rangle$ and $|?\rangle$ are mutually
orthogonal. These are optimally distinguished using the POVM $(E_0, 1 - E_0)$, where

$$E_0 = \frac{1}{6} \begin{pmatrix} 2 + \sqrt{3} & -1 & 1 + \sqrt{3} \\ -1 & 2 - \sqrt{3} & 1 - \sqrt{3} \\ 1 + \sqrt{3} & 1 - \sqrt{3} & 2 \end{pmatrix}. \tag{33}$$

This POVM allows Bob to guess Alice's bit with probability $\frac{1}{2}\left(1 + \frac{\sqrt{3}}{2}\right)$, which is significantly greater than $\frac{3}{4}$.
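The attacks of Sections IV.A and IV.C can be checked numerically. The following is an added example, not code from the paper: it evaluates Eq. (28) for Alice's state after the box of Eq. (26) and for the oblivious-transfer states, and checks the POVM element of Eq. (33). It assumes normalised superposed inputs (amplitude 1/√2) and reads the prefactor of E_0 as 1/6; the function names, the pure-Python Jacobi eigenvalue routine and the sample probability table are constructed for the illustration.

```python
import math

def jacobi_eigenvalues(matrix, sweeps=60):
    """Eigenvalues of a real symmetric matrix via cyclic Jacobi rotations."""
    n = len(matrix)
    a = [row[:] for row in matrix]
    for _ in range(sweeps):
        off = sum(a[p][q] ** 2 for p in range(n) for q in range(p + 1, n))
        if off < 1e-26:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                d = a[q][q] - a[p][p]
                y = 2 * a[p][q] if d >= 0 else -2 * a[p][q]
                theta = 0.5 * math.atan2(y, abs(d))  # rotation angle, |theta| <= pi/4
                c, s = math.cos(theta), math.sin(theta)
                for k in range(n):  # A <- A G (mix columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- G^T A (mix rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]

def helstrom(rho0, rho1, q0):
    """Eq. (28): optimal probability of telling rho0 from rho1 (priors q0, 1 - q0)."""
    n = len(rho0)
    diff = [[q0 * rho0[r][c] - (1 - q0) * rho1[r][c] for c in range(n)]
            for r in range(n)]
    return 0.5 * (1 + sum(abs(ev) for ev in jacobi_eigenvalues(diff)))

def alice_state(p, j):
    """Alice's reduced state after the box of Eq. (26) when she inputs
    (|0> + |1>)/sqrt(2) and Bob inputs j; basis |i,k> ordered 00, 01, 10, 11."""
    rho = [[0.0] * 4 for _ in range(4)]
    for k in (0, 1):
        # amplitude on |i>|k> for i = 0, 1 (output k has probability p or 1 - p)
        amp = [math.sqrt((p[i][j] if k == 0 else 1 - p[i][j]) / 2) for i in (0, 1)]
        for i in (0, 1):
            for i2 in (0, 1):
                rho[2 * i + k][2 * i2 + k] += amp[i] * amp[i2]
    return rho

def honest_best(p, q0):
    """Eq. (27): Alice's best guessing probability with a classical input i."""
    q = (q0, 1 - q0)
    return max(max(p[i][j] * q[j] for j in (0, 1)) +
               max((1 - p[i][j]) * q[j] for j in (0, 1)) for i in (0, 1))

def cheating_best(p, q0):
    """Guessing probability with the superposed input and the optimal measurement."""
    return helstrom(alice_state(p, 0), alice_state(p, 1), q0)

# --- Oblivious transfer (Section IV.C); basis order |0>, |1>, |?> ---
R3 = math.sqrt(3)
E0 = [[(2 + R3) / 6, -1 / 6, (1 + R3) / 6],       # Eq. (33), prefactor read as 1/6
      [-1 / 6, (2 - R3) / 6, (1 - R3) / 6],
      [(1 + R3) / 6, (1 - R3) / 6, 2 / 6]]
PSI = [[1 / math.sqrt(2), 0.0, 1 / math.sqrt(2)],  # |psi_0> = (|0> + |?>)/sqrt(2)
       [0.0, 1 / math.sqrt(2), 1 / math.sqrt(2)]]  # |psi_1> = (|1> + |?>)/sqrt(2)

def outer(v, w):
    return [[x * y for y in w] for x in v]

def expect(op, v):
    return sum(v[r] * op[r][c] * v[c] for r in range(3) for c in range(3))

def ot_guess_with_E0():
    """Success probability of the POVM (E0, 1 - E0) for a uniformly random bit."""
    return 0.5 * expect(E0, PSI[0]) + 0.5 * (1 - expect(E0, PSI[1]))

def ot_helstrom():
    """Optimal guessing probability for the two OT states, from Eq. (28)."""
    return helstrom(outer(PSI[0], PSI[0]), outer(PSI[1], PSI[1]), 0.5)

def ot_honest():
    # Honest measurement in {|0>, |1>, |?>}: the bit is seen half the time,
    # otherwise the outcome is '?' and the guess is a coin flip.
    return 0.5 * 1.0 + 0.5 * 0.5

if __name__ == "__main__":
    table = [[0.9, 0.2], [0.3, 0.7]]  # constructed p[i][j], not taken from the paper
    print("two-sided: honest", honest_best(table, 0.95),
          "superposed input", round(cheating_best(table, 0.95), 4))
    print("OT: honest", ot_honest(), "E0", round(ot_guess_with_E0(), 4),
          "Helstrom", round(ot_helstrom(), 4))
```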



⁵ Impossibility had previously been argued on the grounds that oblivious transfer implies bit commitment and hence is impossible because
bit commitment is. However, while this argument rules out the possibility of a composable oblivious transfer protocol, a stand-alone
one is not excluded.

V. DISCUSSION

We have introduced a black box model of computation, and have given a necessary condition for security. Even 
if such black boxes were to exist as prescribed by the model, one party can always break the security condition. 
Specifically, by inputting a superposed state rather than a classical one, and performing an appropriate measurement 
on the outcome state, one party can always gain more information on the input of the other than that gained using 
any honest strategy. In the case of deterministic functions, this attack has only been shown to work if the function is 
non-degenerate and potentially concealing. In the case where the sole purpose of the function is to learn something 
about the other party's input, these are the only relevant functions. 

Our theorems deal only with the simplest cases of each class of function. However, the results can be extended to 
more general functions as described below. 

Larger input alphabets: A deterministic function is impossible to compute securely if it possesses a 3 x 3 
submatrix which is potentially concealing and satisfies the degeneracy requirement. This follows because Alice's prior 
might be such that she can reduce Bob to three possible values of j. This argument does not rule out the possibility 
of all larger functions, since some exist that are potentially concealing without possessing a potentially concealing 
3x3 subfunction. Nevertheless, we conjecture that all potentially concealing functions have a cheating attack which 
involves inputting a superposition and then optimally measuring the outcome. 

In the non-deterministic case, all functions with more possibilities for i and j values possess 2x2 submatrices 
that are ruled out by the attacks presented, or reduce to functions that are one-input. Therefore, no two-party 
non-deterministic computations with binary outputs can satisfy our security condition. 

Larger output alphabets: In the non-deterministic case, we considered only binary outputs. We conjecture that 
the attacks we have presented work more generally on functions with a larger range of possible outputs. 

We have not proven that the aforementioned attacks work for all functions within the classes given in Table I,
although we conjecture this to be the case. Furthermore, for any given computation, one can use the methods 
presented in this work to verify its vulnerability under such attacks. 

We now briefly place our results within the context of universal security definitions. In classical cryptography, there 
are two common models for universal security, one introduced by Canetti [15] and the other by Backes, Pfitzmann
and Waidner [16], [ijj. Recently, such frameworks have been extended for use in quantum protocols [H, [2(|. The
idea is that if a protocol is universally secure (or universally composable), then it can be used as a subprotocol in any
larger protocol. The large protocol can then be divided into subprotocols, each of which is assumed to behave as a
black box with a defined ideal functionality⁶. The task of proving the larger protocol secure then reduces to that of
proving that the subprotocols correctly mimic their ideals, together with an argument that the combination of the
ideals correctly performs the overall task. 

Our results imply that there is no way to define an ideal suitable for realizing secure classical computation in a 
quantum relativistic framework. Hence, without making additional assumptions, or invoking the presence of a trusted 
third party, secure classical computation is impossible using the usual notions of security. The quantum relativistic 
world, while offering more cryptographic power than both classical and quantum non-relativistic worlds, still does not 
permit a range of computational tasks. 

One reasonable form of additional assumption is that the storage power of an adversary is bounded. The so- 
called bounded storage model has been used in both classical and quantum settings. This model evades our no-go 
results because limiting the quantum storage power of an adversary forces them to make measurements (or discard 
potentially useful parts of the system). This invalidates our unitary model of computation. In the classical bounded 
storage model, the adversary's memory size can be at most quadratic in the memory size of the honest parties in 
order to form secure protocols [21], [22]. However, if quantum protocols are considered, and an adversary's quantum
memory is limited, a much wider separation is possible. Protocols exist for which the honest participants need no
quantum memory, while the adversary needs to store half of the qubits transmitted in the protocol in order to cheat
successfully [23].

We further remark that the cheating strategy we present for the non-deterministic case does not work for all 
assignments of Alice's prior over Bob's inputs — there exist functions and values of the prior for which it is impossible 
to cheat using the attack we have presented. This continues to be the case when we allow Alice to choose amongst the 
most general superposed input states. As a concrete example, consider the set {poo,Poi,Pio,Pii) — {j§q : §> §)> 
with qo = | in the two sided version. Hence, in practice, there could be situations in which Bob would be happy to 
perform such a computation, for example, if he was sure Alice had no prior information over his inputs. 



⁶ Or can alternatively be described via a trusted third party.